The Iptables firewall allows only the specified IP connection to specify the port, access the specified Web site

Last Update:2017-02-28 Source: Internet

Author: User

Tags mail iptables firewall

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

Need to open port 80, specify IP and LAN

The following three lines mean:

Shut down all 80 ports first.

Open 80 ports of IP segment 192.168.1.0/24 end

Open IP Segment 211.123.16.123/24 80 port IP Segment

# iptables-i input-p TCP--dport 80-j DROP

# iptables-i input-s 192.168.1.0/24-p tcp--dport 80-j ACCEPT

# iptables-i input-s 211.123.16.123/24-p tcp--dport 80-j ACCEPT

These are temporary settings.

1. Backup Iptables First

# cp/etc/sysconfig/iptables/var/tmp

2. Then save the Iptables

# Service Iptables Save

3. Reboot the firewall

#service iptables Restart

The following is the port, and then open some IP first

Iptables-i input-p TCP--dport 9889-j DROP

Iptables-i input-s 192.168.1.0/24-p TCP--dport 9889-j ACCEPT

If you use NAT forwarding, remember to cooperate with the following to be effective

Iptables-i forward-p TCP--dport 80-j DROP

Iptables-i forward-s 192.168.1.0/24-p TCP--dport 80-j ACCEPT

The common iptables rules are as follows:

You can only send and receive mail, everything else is closed

Iptables-i Filter-m mac--mac-source 00:0f:ea:25:51:37-j DROP

Iptables-i filter-m mac--mac-source 00:0f:ea:25:51:37-p UDP--dport 53-j

Iptables-i filter-m mac--mac-source 00:0f:ea:25:51:37-p tcp--dport 25-j ACCEPT

Iptables-i filter-m mac--mac-source 00:0f:ea:25:51:37-p tcp--dport 110-j ACCEPT

IPSEC NAT Policy

Iptables-i pfwanpriv-d 192.168.100.2-j ACCEPT

Iptables-t nat-a prerouting-p tcp--dport 80-d $INTERNET _addr-j dnat--to-destination 192.168.100.2:80

Iptables-t nat-a prerouting-p tcp--dport 1723-d $INTERNET _addr-j dnat--to-destination 192.168.100.2:1723

Iptables-t nat-a prerouting-p UDP--dport 1723-d $INTERNET _addr-j dnat--to-destination 192.168.100.2:1723

Iptables-t nat-a prerouting-p UDP--dport 500-d $INTERNET _addr-j dnat--to-destination 192.168.100.2:500

Iptables-t nat-a prerouting-p UDP--dport 4500-d $INTERNET _addr-j dnat--to-destination 192.168.100.2:4500

NAT for FTP server

Iptables-i pfwanpriv-p TCP--dport 21-d 192.168.100.200-j ACCEPT

Iptables-t nat-a prerouting-p tcp--dport 21-d $INTERNET _addr-j dnat--to-destination 192.168.100.200:21

Only allow access to the specified URL

Iptables-a filter-p UDP--dport 53-j ACCEPT

Iptables-a filter-p TCP--dport 53-j ACCEPT

Iptables-a filter-d www.3322.org-j ACCEPT

Iptables-a filter-d img.cn99.com-j ACCEPT

Iptables-a filter-j DROP

Open some ports for one IP, others are closed

Iptables-a filter-p TCP--dport 80-s 192.168.100.200-d www.pconline.com.cn-j

Iptables-a filter-p TCP--dport 25-s 192.168.100.200-j ACCEPT

Iptables-a filter-p TCP--dport 109-s 192.168.100.200-j ACCEPT

Iptables-a filter-p TCP--dport 110-s 192.168.100.200-j ACCEPT

Iptables-a filter-p TCP--dport 53-j ACCEPT

Iptables-a filter-p UDP--dport 53-j ACCEPT

Iptables-a filter-j DROP

Multiple ports

Iptables-a filter-p tcp-m multiport--destination-port 22,53,80,110-s 192.168.20.3-j REJECT

Continuous port

Iptables-a filter-p tcp-m multiport--source-port 22,53,80,110-s 192.168.20.3-j REJECT iptables-a filter-p TCP--so Urce-port 2:80-s 192.168.20.3-j REJECT

Specify time to surf the internet

Iptables-a filter-s 10.10.10.253-m time--timestart 6:00--timestop 11:00--days mon,tue,wed,thu,fri,sat,sun-j DROP

Iptables-a filter-m time--timestart 12:00--timestop 13:00--days mon,tue,wed,thu,fri,sat,sun-j ACCEPT

Iptables-a filter-m time--timestart 17:30--timestop 8:30--days mon,tue,wed,thu,fri,sat,sun-j ACCEPT

Prohibit multiple port services

Iptables-a filter-m multiport-p TCP--dport 21,23,80-j ACCEPT

To have a WAN port Nat to a PC

Iptables-t nat-a prerouting-i $INTERNET _if-d $INTERNET _addr-j dnat--to-destination 192.168.0.1

The WAN Port 8000 Nat to 192. 168. 100. 200 of 80 ports

Iptables-t nat-a prerouting-p tcp--dport 8000-d $INTERNET _addr-j dnat--to-destination 192.168.100.200:80

Port to which the mail server is to be transferred

Iptables-t nat-a prerouting-p tcp--dport 110-d $INTERNET _addr-j dnat--to-destination 192.168.100.200:110

Iptables-t nat-a prerouting-p tcp--dport 25-d $INTERNET _addr-j dnat--to-destination 192.168.100.200:25

Only Ping 202 is allowed. 96. 134. 133, other services are prohibited

Iptables-a filter-p icmp-s 192.168.100.200-d 202.96.134.133-j ACCEPT

Iptables-a filter-j DROP

Disable BT Configuration

Iptables–a filter–p tcp–dport 6000:20000–j DROP

Disable QQ firewall configuration

Iptables-a filter-p UDP--dport! 53-j DROP

Iptables-a filter-d 218.17.209.0/24-j DROP

Iptables-a filter-d 218.18.95.0/24-j DROP

Iptables-a filter-d 219.133.40.177-j DROP

Based on Mac, can only send and receive mail, others reject

Iptables-i Filter-m mac--mac-source 00:0a:eb:97:79:a1-j DROP

Iptables-i filter-m mac--mac-source 00:0a:eb:97:79:a1-p tcp--dport 25-j ACCEPT

Iptables-i filter-m mac--mac-source 00:0a:eb:97:79:a1-p tcp--dport 110-j ACCEPT

Disable MSN Configuration

Iptables-a filter-p UDP--dport 9-j DROP

Iptables-a filter-p TCP--dport 1863-j DROP

Iptables-a filter-p TCP--dport 80-d 207.68.178.238-j DROP

Iptables-a filter-p TCP--dport 80-d 207.46.110.0/24-j DROP

Only Ping 202 is allowed. 96. 134. 133 Other public network IP are not allowed ping

Iptables-a filter-p icmp-s 192.168.100.200-d 202.96.134.133-j ACCEPT

Iptables-a filter-p icmp-j DROP

To prevent a MAC address from accessing the Internet:

Iptables-i Filter-m mac--mac-source 00:20:18:8f:72:f8-j DROP

To prohibit ping of an IP address:

Iptables–a filter–p icmp–s 192.168.0.1–j DROP

Prohibit an IP address service:

Iptables–a filter-p tcp-s 192.168.0.1--dport 80-j DROP

Iptables–a filter-p udp-s 192.168.0.1--dport 53-j DROP

Only certain services are allowed, others are rejected (2 rules)

Iptables-a filter-p tcp-s 192.168.0.1--dport 1000-j

Iptables-a filter-j DROP

Prohibit a port service for an IP address

Iptables-a filter-p tcp-s 10.10.10.253--dport 80-j

Iptables-a filter-p tcp-s 10.10.10.253--dport 80-j DROP

Prohibit a port service for a MAC address

Iptables-i filter-p tcp-m mac--mac-source 00:20:18:8f:72:f8--dport DROP

To prevent a MAC address from accessing the Internet:

Iptables-i Filter-m mac--mac-source 00:11:22:33:44:55-j DROP

To prohibit ping of an IP address:

Iptables–a filter–p icmp–s 192.168.0.1–j DROP

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More